Cloud computing in its many forms creates tremendous new opportunities for cost savings, flexibility, scalability and improved computing performance for government, enterprises and citizens. At the same time, it presents new security, privacy and reliability challenges, which raise questions about functional responsibility (who must maintain controls) and legal accountability (who is legally accountable if those controls fail). Customers, including the government, need to make informed decisions about adoption of the cloud and its various service models because the model that is embraced will entail different allocations of responsibility between the customer and the cloud provider(s).

This shifting responsibility requires that both cloud providers and governments take seriously their distinct and shared responsibilities for addressing the security, privacy and reliability of cloud services. Both customers and cloud providers must understand their respective roles. Customers must be able to communicate their compliance requirements, and cloud providers must be transparent about the controls in place to meet those requirements:

Build-in Security and Privacy and Reliability: Cloud providers must ensure that they put security, privacy and reliability at the center of the design of their cloud service offerings. For our part, Microsoft uses the Secure Development Lifecycle to ensure that both security and privacy are built into the development of our cloud offerings. By building and managing resilient infrastructure with trustworthy people, we can ensure high availability and commit to 99.9 percent uptime and 24×7 support in our service level agreements. The government could – and should – require that its cloud vendors demonstrate secure development practices and transparent response processes for their applications. You can read more about Microsoft’s cloud security efforts here.

Communicate Clear Requirements: Moving to the cloud does not eliminate federal agencies’ responsibilities for meeting security, privacy and reliability requirements. Agencies must first identify and communicate requirements and expectations prior to transferring the responsibility for these functions to cloud providers. Articulating these requirements is an important step in adapting to the cloud and effectively integrating it into the federal enterprise. The Federal Risk and Authorization Management Program (FedRAMP) is an important initial effort to provide joint security authorization for large outsourced systems.

Require Privacy Provisions: Government should help improve the transparency of data handling and privacy practices for cloud providers by requiring better notice of how information is collected and used. Congress, the Executive Branch and the Federal Trade Commission should work together to promote transparency around cloud computing providers’ privacy and security practices, empowering users to make informed choices.

Clarify Jurisdictional Access and Data Handling Rules: The government must help clarify the laws governing data in the cloud. Cloud computing moves data that once lived with the customer to the provider, which creates new questions about how to respond to government and law enforcement requests for information. Congress should clarify and update the Electronic Communications Privacy Act (ECPA) in order to properly account for citizens’ reasonable privacy expectations. In addition, cloud services work best when data is able to flow freely around the globe. Unfortunately, global data flows are not well addressed by current privacy laws in the United States and around the world. The government should work with other countries and with industry to develop a data protection framework that accounts for global data flows created by cloud computing.

In addition to speaking about security, privacy, and reliability, I raised one other issue worthy of note. The mechanisms to provide identity, authentication and attribution in cyberspace do not yet meet the needs of citizens, enterprises or governments in traditional computing environments or for the cloud. This inability to manage online identities well puts computer users at risk and reduces their trust in the IT ecosystem.

The cloud only amplifies the need for more robust identity management to help solve some of the fundamental security and privacy problems inherent in current Internet systems. As people move more and more of their data to the cloud, and share resources across cloud platforms, their credentials are the key to accessing that data. The draft National Strategy for Trusted Identities in Cyberspace, recently released by the White House, represents significant progress to help improve the ability to identify and authenticate the organizations, individuals and underlying infrastructure involved in an online transaction. Government and industry must continue to work together on this initiative, as well as on advancing standards and formats on both a national as well as a global basis, to enable a robust identity ecosystem.

Microsoft is committed to helping the federal government as it looks to adopt cloud computing services. As part of this effort, we recently encouraged industry and policymakers to take action to build confidence in cloud computing, and proposed the Cloud Computing Advancement Act to promote innovation, protect consumers and provide government with new tools to address the critical issues of data privacy and security. In a recent interview on C-SPAN, Microsoft’s general counsel Brad Smith talked about the need for new rules to protect business and consumer information.

I thank Chairman Towns, Ranking Member Issa, Chairwoman Watson, Ranking Member Bilbray and members of the House Committee on Oversight and Government reform for their leadership on this important issue. I look forward to continuing to work with them, other Members of Congress, the Obama Administration and others in the industry on advancing government adoption of cloud computing. You can read my full testimony here.